Abstract. Let $E$ be an elliptic curve defined over a finite field. Balasubramanian and Koblitz have proved that if the group $\mu_\ell$ of $\ell$-th roots of unity is not contained in the ground field, then a field extension of the ground field contains $\mu_\ell$ if and only if the $\ell$-torsion points of $E$ are rational over the same field extension. We generalize this result to Jacobians of genus two curves with complex multiplication. In particular, we show that the Weil- and the Tate-pairing on such a Jacobian are non-degenerate over the same field extension of the ground field.



1. Introduction 



In [11], Koblitz described how to use elliptic curves to construct a public key cryptosystem. To get a more general class of curves, and possibly larger group orders, Koblitz [12] then proposed using Jacobians of hyperelliptic curves.

In elliptic curve cryptography it is essential to know the number of points on the curve. Cryptographically we are interested in elliptic curves with large cyclic subgroups. Such elliptic curves can be constructed. The construction is based on the theory of complex multiplication, studied in detail by [?]. It is referred to as the CM method. The CM method for constructing elliptic curves has been generalized to genus two curves by [?], and efficient algorithms have been proposed by [21] and [?]. Both algorithms take as input a primitive, quartic CM field $K$ (see section 5), and give as output a genus two curve $C$ defined over a prime field $\mathbb{F}_p$.

After Boneh and Franklin [?] proposed an identity based cryptosystem by using the Weil pairing on an elliptic curve, pairings have been of great interest to cryptography [?]. The next natural step was to consider pairings on Jacobians of hyperelliptic curves. Galbraith et al. [?] survey the recent research on pairings on Jacobians of hyperelliptic curves.

The pairing in question is usually the Weil- or the Tate-pairing; both pairings can be computed with Miller's algorithm [14]. The Tate-pairing can be computed more efficiently than the Weil-pairing, cf. [?]. Let $C$ be a smooth curve defined over a finite field $\mathbb{F}_q$, and let $\mathcal{J}_C$ be the Jacobian of $C$. Let $\ell$ be a prime number dividing the number of $\mathbb{F}_q$-rational points on the Jacobian, and let $k$ be the multiplicative order of $q$ modulo $\ell$. By [10], the Tate-pairing is non-degenerate on $\mathcal{J}_C(\mathbb{F}_{q^k})[\ell]$. By [21, Proposition 8.1, p. 96], the Weil-pairing is non-degenerate on $\mathcal{J}_C[\ell]$. So if $\mathcal{J}_C[\ell]$ is not contained in $\mathcal{J}_C(\mathbb{F}_{q^k})$, then the Tate-pairing is non-degenerate over a possibly smaller field extension than the Weil-pairing. For elliptic curves, in most cases relevant to cryptography, the Weil-pairing and the Tate-pairing are non-degenerate over the same field: let $E$ be an elliptic curve defined over $\mathbb{F}_p$, and consider a prime number $\ell$ dividing the number of $\mathbb{F}_p$-rational points on $E$. Balasubramanian and Koblitz [3] proved that

(1) if $\ell \nmid p - 1$, then $E[\ell] \subseteq E(\mathbb{F}_{p^k})$ if and only if $\ell \mid p^k - 1$.

By Rubin and Silverberg this result also holds for Jacobians of genus two curves in the following sense: if $\ell \nmid p - 1$, then the Weil-pairing is non-degenerate on $U \times V$, where $U = \mathcal{J}_C(\mathbb{F}_p)[\ell]$, $V = \ker(\varphi - p) \cap \mathcal{J}_C[\ell]$ and $\varphi$ is the $p$-power Frobenius endomorphism on $\mathcal{J}_C$.

The result (1) can also be stated as: if $\ell \nmid p - 1$, then $E(\mathbb{F}_{p^k})[\ell]$ is bicyclic if and only if $\ell \mid p^k - 1$. In this paper, we show that in most cases this result also holds for Jacobians of genus two curves with complex multiplication. More precisely, the following theorem is established.
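As an added illustration, not part of the paper, the following Python script verifies statement (1), in its bicyclic form, by brute force on a constructed sample elliptic curve $E: y^2 = x^3 + 1$ over $\mathbb{F}_{11}$ with $\ell = 3$; here $\ell \mid |E(\mathbb{F}_{11})| = 12$, $\ell \nmid p - 1 = 10$, and $p$ has order $k = 2$ modulo $\ell$. It enumerates $E(\mathbb{F}_p)$ and $E(\mathbb{F}_{p^2})$, with $\mathbb{F}_{121}$ represented as $\mathbb{F}_{11}[t]/(t^2 + 1)$ (a representation that assumes $p \equiv 3 \pmod 4$), counts the points killed by $\ell$, and compares the count ($\ell$ for a cyclic, $\ell^2$ for a bicyclic $\ell$-torsion group) with what (1) predicts. The curve, the field representation and all function names are the example's own choices.

```python
"""Brute-force check of statement (1) of Balasubramanian and Koblitz on a small elliptic curve.

Added example, not from the paper.  F_{p^2} = F_p[t]/(t^2 - n), n a quadratic non-residue,
is represented by pairs (a, b) meaning a + b*t; F_p sits inside as (a, 0).
"""
from itertools import product

P = 11          # constructed sample: ground field F_11 (assumption)
NONRES = P - 1  # -1 is a non-residue mod 11 (11 = 3 mod 4), so F_121 = F_11[t]/(t^2 + 1)
A, B = 0, 1     # constructed sample curve E: y^2 = x^3 + A x + B = x^3 + 1
ELL = 3         # 3 divides #E(F_11) = 12 and does not divide p - 1 = 10

def fp2_mul(u, v, p=P, n=NONRES):
    """(a + b t)(c + d t) = (ac + n bd) + (ad + bc) t."""
    return ((u[0] * v[0] + n * u[1] * v[1]) % p, (u[0] * v[1] + u[1] * v[0]) % p)

def fp2_inv(u, p=P, n=NONRES):
    """(a + b t)^{-1} = (a - b t) / N(a + b t), with N(a + b t) = a^2 - n b^2 in F_p."""
    norm_inv = pow((u[0] * u[0] - n * u[1] * u[1]) % p, p - 2, p)
    return (u[0] * norm_inv % p, -u[1] * norm_inv % p)

def fp2_add(u, v, p=P):
    return ((u[0] + v[0]) % p, (u[1] + v[1]) % p)

def fp2_neg(u, p=P):
    return (-u[0] % p, -u[1] % p)

def ec_add(pt1, pt2, a=A, p=P):
    """Affine chord-and-tangent law on y^2 = x^3 + a x + b over F_{p^2}; None is the point at infinity."""
    if pt1 is None:
        return pt2
    if pt2 is None:
        return pt1
    (x1, y1), (x2, y2) = pt1, pt2
    if x1 == x2:
        if fp2_add(y1, y2) == (0, 0):        # pt2 = -pt1, including the 2-torsion case y = 0
            return None
        num = fp2_add(fp2_mul((3, 0), fp2_mul(x1, x1)), (a % p, 0))   # slope numerator 3 x1^2 + a
        den = fp2_add(y1, y1)                                          # slope denominator 2 y1
    else:
        num, den = fp2_add(y2, fp2_neg(y1)), fp2_add(x2, fp2_neg(x1))
    lam = fp2_mul(num, fp2_inv(den))
    x3 = fp2_add(fp2_mul(lam, lam), fp2_neg(fp2_add(x1, x2)))
    y3 = fp2_add(fp2_mul(lam, fp2_add(x1, fp2_neg(x3))), fp2_neg(y1))
    return (x3, y3)

def ec_mul(k, pt):
    """k * pt by repeated addition (k is tiny here)."""
    acc = None
    for _ in range(k):
        acc = ec_add(acc, pt)
    return acc

def curve_points(extension, a=A, b=B, p=P):
    """Affine points of E over F_p (extension=1) or F_{p^2} (extension=2)."""
    field = list(product(range(p), repeat=2)) if extension == 2 else [(u, 0) for u in range(p)]
    roots = {}                                   # square -> list of its square roots
    for y in field:
        roots.setdefault(fp2_mul(y, y), []).append(y)
    pts = []
    for x in field:
        rhs = fp2_add(fp2_mul(fp2_mul(x, x), x), fp2_add(fp2_mul((a % p, 0), x), (b % p, 0)))
        pts.extend((x, y) for y in roots.get(rhs, []))
    return pts

def ell_torsion_count(ell, extension):
    """#E(F_{p^extension})[ell] including O: ell means cyclic, ell^2 means E[ell] is rational (bicyclic)."""
    return 1 + sum(1 for pt in curve_points(extension) if ec_mul(ell, pt) is None)

def statement_1_predicts_full_torsion(p, ell, m):
    """Statement (1): for ell not dividing p - 1, E[ell] is F_{p^m}-rational iff ell | p^m - 1."""
    assert (p - 1) % ell != 0
    return pow(p, m, ell) == 1

if __name__ == "__main__":
    for m in (1, 2):
        count = ell_torsion_count(ELL, m)
        print(f"#E(F_{P}^{m})[{ELL}] = {count}; (1) predicts bicyclic: "
              f"{statement_1_predicts_full_torsion(P, ELL, m)}")
```

Over $\mathbb{F}_{11}$ the count is 3 (cyclic, as (1) predicts since $3 \nmid 10$); over $\mathbb{F}_{121}$ it is $9 = \ell^2$, i.e. $E[3]$ is $\mathbb{F}_{121}$-rational, matching $3 \mid 11^2 - 1$. The same enumeration runs for any small $p \equiv 3 \pmod 4$, any odd $\ell \mid |E(\mathbb{F}_p)|$ with $\ell \nmid p - 1$, and any $m$; for the Jacobian of a genus two curve only the group law would have to be replaced.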

Theorem 9. Consider a genus two curve $C$ defined over $\mathbb{F}_p$ with $\mathrm{End}(\mathcal{J}_C) \simeq \mathcal{O}_K$, where $K$ is a primitive, quartic CM field (cf. section 5). Let $\omega_m$ be a $p^m$-Weil number of the Jacobian $\mathcal{J}_C$. Let $\ell$ be an odd prime number dividing the number of $\mathbb{F}_p$-rational points on $\mathcal{J}_C$, and with $\ell$ unramified in $K$, $\ell \nmid p$ and $\ell \nmid p - 1$. Let $p$ be of multiplicative order $k$ modulo $\ell$. Then the following holds.

(i) If $\omega_m \not\equiv 1 \pmod{\ell}$, then $\mathcal{J}_C(\mathbb{F}_{p^m})[\ell]$ is bicyclic if and only if $\ell$ divides $p^m - 1$.

(ii) The Weil-pairing is non-degenerate on $\mathcal{J}_C(\mathbb{F}_{p^k})[\ell] \times \mathcal{J}_C(\mathbb{F}_{p^k})[\ell]$.

Notation and assumptions. In this paper we only consider smooth curves. If $F$ is an algebraic number field, then $\mathcal{O}_F$ denotes the ring of integers of $F$, and $F_0 = F \cap \mathbb{R}$ denotes the real subfield of $F$.

2. Genus two curves

A hyperelliptic curve is a projective curve $C \subseteq \mathbb{P}^n$ of genus at least two with a separable, degree two morphism $\phi: C \to \mathbb{P}^1$. It is well known that any genus two curve is hyperelliptic. Throughout this paper, let $C$ be a curve of genus two defined over a finite field $\mathbb{F}_q$ of characteristic $p$. By the Riemann-Roch Theorem there exists a birational map $\psi: C \to \mathbb{P}^2$, mapping $C$ to a curve given by an equation of the form

$$y^2 + g(x)y = h(x),$$

where $g, h \in \mathbb{F}_q[x]$ are of degree $\deg(g) \le 3$ and $\deg(h) \le 6$; cf. [?, chapter 1].

The set of principal divisors $\mathcal{P}(C)$ on $C$ constitutes a subgroup of the degree zero divisors $\mathrm{Div}_0(C)$. The Jacobian $\mathcal{J}_C$ of $C$ is defined as the quotient

$$\mathcal{J}_C = \mathrm{Div}_0(C)/\mathcal{P}(C).$$

Let $\ell \neq p$ be a prime number. The $\ell^n$-torsion subgroup $\mathcal{J}_C[\ell^n] \subseteq \mathcal{J}_C$ of points of order dividing $\ell^n$ is a $\mathbb{Z}/\ell^n\mathbb{Z}$-module of rank four, i.e.

$$\mathcal{J}_C[\ell^n] \simeq \mathbb{Z}/\ell^n\mathbb{Z} \times \mathbb{Z}/\ell^n\mathbb{Z} \times \mathbb{Z}/\ell^n\mathbb{Z} \times \mathbb{Z}/\ell^n\mathbb{Z};$$

cf. [?, Theorem 6, p. 109].

The multiplicative order $k$ of $q$ modulo $\ell$ plays an important role in cryptography, since the (reduced) Tate-pairing is non-degenerate over $\mathbb{F}_{q^k}$; cf. [10].

Definition 1 (Embedding degree). Consider a prime number $\ell \neq p$ dividing the number of $\mathbb{F}_q$-rational points on the Jacobian $\mathcal{J}_C$. The embedding degree of $\mathcal{J}_C(\mathbb{F}_q)$ with respect to $\ell$ is the least number $k$, such that $q^k \equiv 1 \pmod{\ell}$.
Closely related to the embedding degree, we have the full embedding degree.

Definition 2 (Full embedding degree). Consider a prime number $\ell \neq p$ dividing the number of $\mathbb{F}_q$-rational points on the Jacobian $\mathcal{J}_C$. The full embedding degree of $\mathcal{J}_C(\mathbb{F}_q)$ with respect to $\ell$ is the least number $\kappa$, such that $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^\kappa})$.

Remark 3. If $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^\kappa})$, then $\ell \mid q^\kappa - 1$; cf. [?, Corollary 5.77, p. 111]. Hence, the full embedding degree is a multiple of the embedding degree.

A priori, the Weil-pairing is only non-degenerate over $\mathbb{F}_{q^\kappa}$. But in fact, as we shall see, the Weil-pairing is also non-degenerate over $\mathbb{F}_{q^k}$.

3. The Weil- and the Tate-pairing

Let $F$ be an algebraic extension of $\mathbb{F}_q$. Let $x \in \mathcal{J}_C(F)[\ell]$ and $y = \sum_i a_i P_i \in \mathcal{J}_C(F)$ be divisors with disjoint supports, and let $\bar{y} \in \mathcal{J}_C(F)/\ell\mathcal{J}_C(F)$ denote the divisor class containing the divisor $y$. Furthermore, let $f_x \in F(C)$ be a rational function on $C$ with divisor $\mathrm{div}(f_x) = \ell x$. Set $f_x(y) = \prod_i f_x(P_i)^{a_i}$. Then $e_\ell(x, \bar{y}) = f_x(y)$ is a well-defined pairing

$$e_\ell: \mathcal{J}_C(F)[\ell] \times \mathcal{J}_C(F)/\ell\mathcal{J}_C(F) \longrightarrow F^\times/(F^\times)^\ell;$$

it is called the Tate-pairing; cf. [2]. Raising the result to the power $\frac{|F| - 1}{\ell}$ gives a well-defined element in the subgroup $\mu_\ell \subseteq F^\times$ of the $\ell$-th roots of unity. This pairing

$$\hat{e}_\ell: \mathcal{J}_C(F)[\ell] \times \mathcal{J}_C(F)/\ell\mathcal{J}_C(F) \longrightarrow \mu_\ell$$

is called the reduced Tate-pairing. If the field $F$ is finite and contains the $\ell$-th roots of unity, then the Tate-pairing is bilinear and non-degenerate; cf. [10].

Now let $x, y \in \mathcal{J}_C[\ell]$ be divisors with disjoint support. The Weil-pairing

$$e_W: \mathcal{J}_C[\ell] \times \mathcal{J}_C[\ell] \longrightarrow \mu_\ell$$

is then defined by $e_W(x, y) = f_x(y)/f_y(x)$, with $f_x$ and $f_y$ as above. The Weil-pairing is bilinear, anti-symmetric and non-degenerate on $\mathcal{J}_C[\ell] \times \mathcal{J}_C[\ell]$; cf. [?].

4. Matrix representation of the endomorphism ring

An endomorphism $\psi: \mathcal{J}_C \to \mathcal{J}_C$ induces a linear map $\bar{\psi}: \mathcal{J}_C[\ell] \to \mathcal{J}_C[\ell]$ by restriction. Hence, $\psi$ is represented by a matrix $M \in \mathrm{Mat}_4(\mathbb{Z}/\ell\mathbb{Z})$ on $\mathcal{J}_C[\ell]$. Let $f \in \mathbb{Z}[X]$ be the characteristic polynomial of $\psi$ (see [13, pp. 109-110]), and let $\bar{f} \in (\mathbb{Z}/\ell\mathbb{Z})[X]$ be the characteristic polynomial of $\bar{\psi}$. Then $f$ is a monic polynomial of degree four, and by [3, Theorem 3, p. 186],

$$\bar{f}(X) \equiv f(X) \pmod{\ell}.$$

Since $C$ is defined over $\mathbb{F}_q$, the mapping $(x, y) \mapsto (x^q, y^q)$ is a morphism on $C$. This morphism induces the $q$-power Frobenius endomorphism $\varphi$ on the Jacobian $\mathcal{J}_C$. Let $P(X)$ be the characteristic polynomial of $\varphi$. $P(X)$ is called the Weil polynomial of $\mathcal{J}_C$, and

$$|\mathcal{J}_C(\mathbb{F}_q)| = P(1)$$

by the definition of $P(X)$ (see [13, pp. 109-110]); i.e. the number of $\mathbb{F}_q$-rational points on the Jacobian is $P(1)$.






C.R. RAVNSHØJ



Definition 4 (Weil number). Let notation be as above. Let $P_m(X)$ be the characteristic polynomial of the $q^m$-power Frobenius endomorphism $\varphi_m$ on $\mathcal{J}_C$. Consider a number $\omega_m \in \mathbb{C}$ with $P_m(\omega_m) = 0$. If $P_m(X)$ is reducible, assume furthermore that $\omega_m$ and $\varphi_m$ are roots of the same irreducible factor of $P_m(X)$. We identify $\varphi_m$ with $\omega_m$, and we call $\omega_m$ a $q^m$-Weil number of $\mathcal{J}_C$.

Remark 5. A $q^m$-Weil number is not necessarily uniquely determined. In general, $P_m(X)$ is irreducible, in which case $\mathcal{J}_C$ has four $q^m$-Weil numbers.

Assume $P_m(X)$ is reducible. Write $P_m(X) = f(X)g(X)$, where $f, g \in \mathbb{Z}[X]$ are of degree at least one. Since $P_m(\varphi_m) = 0$, either $f(\varphi_m) = 0$ or $g(\varphi_m) = 0$; if not, then either $f(\varphi_m)$ or $g(\varphi_m)$ has infinite kernel, i.e. is not an endomorphism of $\mathcal{J}_C$. So a $q^m$-Weil number is well-defined.
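The following Python script, added here and not part of the paper, carries out the computations of Section 4 and of Definitions 1 and 4 on a constructed sample curve $C: y^2 = x^5 + 1$ over $\mathbb{F}_{29}$: it counts $C(\mathbb{F}_p)$ and $C(\mathbb{F}_{p^2})$ by brute force, assembles the Weil polynomial $P(X)$, evaluates $|\mathcal{J}_C(\mathbb{F}_p)| = P(1)$, obtains $P_m(X)$ as the characteristic polynomial of the $m$-th power of the companion matrix of $P(X)$, computes the embedding degree of Definition 1, and reads off the multiplicities of the roots $1$ and $p^m$ of $\bar{P}_m$, which are the quantities Lemma 11 and the proof of Theorem 9 below reason about. For this sample curve $P(X) = (X^2 + 29)^2$ is reducible (the Jacobian is supersingular), so it is not a curve satisfying the hypotheses of Theorem 9; it is used only because its points are cheap to count, and the functions themselves are general. The representation $\mathbb{F}_{29^2} = \mathbb{F}_{29}[t]/(t^2 - 2)$, the curve and all function names are the example's own assumptions.

```python
"""Weil polynomial, Frobenius over extensions and embedding degree of a genus-two Jacobian.

Added example, not from the paper: the bookkeeping of Section 4, Definition 1 and
Definition 4 for y^2 = h(x), deg h = 5, over F_p.  Points are counted by brute force
over F_p and F_{p^2} = F_p[t]/(t^2 - n), n a quadratic non-residue; an element of
F_{p^2} is a pair (a, b) meaning a + b*t, and F_p sits inside as (a, 0).
"""
from itertools import product

P = 29                  # constructed sample: ground field F_29 (assumption)
NONRES = 2              # 2 is a quadratic non-residue mod 29 (29 = 5 mod 8)
H = [1, 0, 0, 0, 0, 1]  # constructed sample curve C: y^2 = x^5 + 1, lowest degree first

def is_square_mod_p(v, p):
    """Euler's criterion for v in F_p^*."""
    return pow(v % p, (p - 1) // 2, p) == 1

def fp2_mul(u, v, p, n=NONRES):
    return ((u[0] * v[0] + n * u[1] * v[1]) % p, (u[0] * v[1] + u[1] * v[0]) % p)

def eval_fp2(h, x, p):
    """Horner evaluation of h at x in F_{p^2}."""
    acc = (0, 0)
    for coeff in reversed(h):
        acc = fp2_mul(acc, x, p)
        acc = ((acc[0] + coeff) % p, acc[1])
    return acc

def count_points(h, p, degree):
    """#C(F_{p^degree}), degree in {1, 2}: y^2 = v has 1 + chi(v) solutions, plus one point at
    infinity (deg h odd).  A nonzero v in F_{p^2} is a square iff its norm a^2 - n b^2 is a
    square in F_p, because the norm maps F_{p^2}^* onto F_p^* and squares onto squares."""
    total = 1
    if degree == 1:
        for a in range(p):
            v = eval_fp2(h, (a, 0), p)[0]
            total += 1 if v == 0 else (2 if is_square_mod_p(v, p) else 0)
        return total
    for x in product(range(p), repeat=2):
        v = eval_fp2(h, x, p)
        if v == (0, 0):
            total += 1
        elif is_square_mod_p(v[0] * v[0] - NONRES * v[1] * v[1], p):
            total += 2
    return total

def weil_polynomial(h, p):
    """P(X) = X^4 + c1 X^3 + c2 X^2 + p c1 X + p^2 (Section 4), lowest degree first, from
    N1 = #C(F_p) = p + 1 + c1 and N2 = #C(F_{p^2}) = p^2 + 1 - (c1^2 - 2 c2)."""
    c1 = count_points(h, p, 1) - p - 1
    c2 = (count_points(h, p, 2) - p * p - 1 + c1 * c1) // 2
    return [p * p, p * c1, c2, c1, 1]

def mat_mul(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)] for i in range(n)]

def charpoly(a):
    """Faddeev-LeVerrier: exact integer characteristic polynomial, lowest degree first."""
    n = len(a)
    coeffs = [0] * n + [1]
    m = [[0] * n for _ in range(n)]
    for k in range(1, n + 1):
        am = mat_mul(a, m)
        m = [[am[i][j] + (coeffs[n - k + 1] if i == j else 0) for j in range(n)] for i in range(n)]
        trace = sum(mat_mul(a, m)[i][i] for i in range(n))
        assert trace % k == 0                 # the division is exact for integer matrices
        coeffs[n - k] = -(trace // k)
    return coeffs

def frobenius_charpoly(poly, m):
    """P_m(X), the characteristic polynomial of phi_m = phi^m (Definition 4): phi is modelled
    by the companion matrix of P(X), whose characteristic polynomial is P(X)."""
    n = len(poly) - 1
    comp = [[int(j == i - 1) if j < n - 1 else -poly[i] for j in range(n)] for i in range(n)]
    power = [[int(i == j) for j in range(n)] for i in range(n)]
    for _ in range(m):
        power = mat_mul(power, comp)
    return charpoly(power)

def poly_eval(poly, x):
    return sum(c * x ** i for i, c in enumerate(poly))

def embedding_degree(q, ell):
    """Definition 1: the least k with q^k = 1 (mod ell)."""
    k, acc = 1, q % ell
    while acc != 1:
        acc, k = acc * q % ell, k + 1
    return k

def root_multiplicity(poly, r, ell):
    """Multiplicity of r as a root of poly reduced mod ell (repeated synthetic division by X - r);
    this is what Lemma 11 and the proof of Theorem 9 track for the roots 1 and p^m of P_m."""
    coeffs = [c % ell for c in poly]
    mult = 0
    while len(coeffs) > 1:
        table, acc = [], 0
        for c in reversed(coeffs):            # highest degree first
            acc = (acc * r + c) % ell
            table.append(acc)
        if table[-1] != 0:                    # table[-1] is poly(r) mod ell
            break
        coeffs = list(reversed(table[:-1]))   # the quotient polynomial
        mult += 1
    return mult

if __name__ == "__main__":
    poly, ell = weil_polynomial(H, P), 3      # 3 divides P(1) = 900 and does not divide p - 1 = 28
    print("P(X) =", poly, " |J_C(F_p)| =", poly_eval(poly, 1), " k =", embedding_degree(P, ell))
    for m in (1, 2):
        pm = frobenius_charpoly(poly, m)
        print(f"m={m}: P_m = {pm}, |J_C(F_p^m)| = {poly_eval(pm, 1)}, mult(1) = "
              f"{root_multiplicity(pm, 1, ell)}, mult(p^m) = {root_multiplicity(pm, pow(P, m, ell), ell)}")
```

For $\ell = 3$ (which divides $P(1) = 900$ but not $p - 1 = 28$, with embedding degree $k = 2$) the script reports $\bar{P}_1 = (X - 1)^2 (X - 2)^2$ modulo 3, i.e. both $1$ and $p \equiv 2$ have multiplicity two, exactly the shape that occurs in the proof of Theorem 9, and $\bar{P}_2 = (X - 1)^4$ modulo 3. The characteristic polynomial routine is plain Faddeev-LeVerrier on integer matrices, so it stays exact for cryptographic sizes of $p$; only the brute-force point count is limited to small fields.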



5. CM fields

An elliptic curve $E$ with $\mathbb{Z} \subsetneq \mathrm{End}(E)$ is said to have complex multiplication. Let $K$ be an imaginary, quadratic number field with ring of integers $\mathcal{O}_K$. $K$ is a CM field, and if $\mathrm{End}(E) \simeq \mathcal{O}_K$, then $E$ is said to have CM by $\mathcal{O}_K$. More generally a CM field is defined as follows.

Definition 6 (CM field). A number field $K$ is a CM field, if $K$ is a totally imaginary, quadratic extension of a totally real number field $K_0$.

In this paper only CM fields of degree $[K : \mathbb{Q}] = 4$ are considered. Such a field is called a quartic CM field.

Let $C$ be a genus two curve. We say that $C$ has CM by $\mathcal{O}_K$, if $\mathrm{End}(\mathcal{J}_C) \simeq \mathcal{O}_K$. The structure of $K$ determines whether $\mathcal{J}_C$ is simple, i.e. does not contain an abelian subvariety other than $\{0\}$ and itself. More precisely, the following theorem holds.

Theorem 7. Let $C$ be a genus two curve with $\mathrm{End}(\mathcal{J}_C) \simeq \mathcal{O}_K$, where $K$ is a quartic CM field. Then $\mathcal{J}_C$ is non-simple if and only if $K/\mathbb{Q}$ is Galois with Galois group

$$\mathrm{Gal}(K/\mathbb{Q}) \simeq \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}.$$

Proof. [?, Proposition 26, p. 61]. □

Theorem 7 motivates the following definition.

Definition 8 (Primitive, quartic CM field). A quartic CM field $K$ is called primitive if either $K/\mathbb{Q}$ is not Galois, or $K/\mathbb{Q}$ is Galois with cyclic Galois group.



6. Non-cyclic subgroups of $\mathcal{J}_C$

Let $K$ be a primitive, quartic CM field. By the CM method (see [?], [?]) we can construct a genus two curve $C$ with $\mathrm{End}(\mathcal{J}_C) \simeq \mathcal{O}_K$. The following theorem concerns such a curve.
Theorem 9. Consider a genus two curve $C$ defined over $\mathbb{F}_p$ with $\mathrm{End}(\mathcal{J}_C) \simeq \mathcal{O}_K$, where $K$ is a primitive, quartic CM field. Let $\omega_m$ be a $p^m$-Weil number of the Jacobian $\mathcal{J}_C$. Let $\ell$ be an odd prime number dividing the number of $\mathbb{F}_p$-rational points on $\mathcal{J}_C$, and with $\ell$ unramified in $K$, $\ell \nmid p$ and $\ell \nmid p - 1$. Let $p$ be of multiplicative order $k$ modulo $\ell$. Then the following holds.

(i) If $\omega_m \not\equiv 1 \pmod{\ell}$, then $\mathcal{J}_C(\mathbb{F}_{p^m})[\ell]$ is bicyclic if and only if $\ell$ divides $p^m - 1$.

(ii) The Weil-pairing is non-degenerate on $\mathcal{J}_C(\mathbb{F}_{p^k})[\ell] \times \mathcal{J}_C(\mathbb{F}_{p^k})[\ell]$.

In the following, let $\bar{P}_m \in (\mathbb{Z}/\ell\mathbb{Z})[X]$ be the characteristic polynomial of the restriction of $\varphi_m$ to $\mathcal{J}_C[\ell]$. The proof of Theorem 9 uses a number of lemmas.

Lemma 10. Let notation and assumptions be as in Theorem 9. Let $\iota: \mathcal{O}_K \to \mathrm{End}(\mathcal{J}_C)$ be an isomorphism. Consider a number $\alpha \in \mathcal{O}_K$. If $\ker[\ell] \subseteq \ker(\iota(\alpha)^n)$ for some number $n \in \mathbb{N}$, then $\ker[\ell] \subseteq \ker(\iota(\alpha))$.

Proof. Since $\ker[\ell] \subseteq \ker(\iota(\alpha)^n)$, it follows that $\iota(\alpha)^n = \ell\beta$ for some endomorphism $\beta \in \mathrm{End}(\mathcal{J}_C)$; see e.g. [?, Remark 7.12, p. 37]. Notice that $\beta = \iota(\beta')$ for some number $\beta' \in \mathcal{O}_K$. Hence, $\alpha^n = \ell\beta' \in \ell\mathcal{O}_K$. Since $\ell$ is unramified in $K$, the ideal $\ell\mathcal{O}_K$ is a product of distinct prime ideals, and it follows that $\alpha \in \ell\mathcal{O}_K$. So $\ker[\ell] \subseteq \ker(\iota(\alpha))$. □

Lemma 11. Let notation and assumptions be as in Theorem 9. If $\omega_m \not\equiv 1 \pmod{\ell}$, then $\mathcal{J}_C(\mathbb{F}_{p^m})[\ell]$ is of rank at most two as a $\mathbb{Z}/\ell\mathbb{Z}$-module.

Proof. Since $\ell \mid |\mathcal{J}_C(\mathbb{F}_p)|$, $1$ is a root of $\bar{P}_m$. Assume that $1$ is a root of $\bar{P}_m$ of multiplicity $\nu$. Since the roots of $\bar{P}_m$ occur in pairs $(a, p^m/a)$, also $p^m$ is a root of $\bar{P}_m$ of multiplicity $\nu$.

If $\mathcal{J}_C(\mathbb{F}_{p^m})[\ell]$ is of rank three as a $\mathbb{Z}/\ell\mathbb{Z}$-module, then $\ell$ divides $p^m - 1$ by [?, Proposition 5.78, p. 111]. Choose a basis $\mathcal{B}$ of $\mathcal{J}_C[\ell]$ whose first three elements lie in $\mathcal{J}_C(\mathbb{F}_{p^m})[\ell]$. With respect to $\mathcal{B}$, $\varphi_m$ is represented by a matrix of the form

$$M = \begin{pmatrix} 1 & 0 & 0 & m_1 \\ 0 & 1 & 0 & m_2 \\ 0 & 0 & 1 & m_3 \\ 0 & 0 & 0 & m_4 \end{pmatrix}.$$

Now, $m_4 = \det M = \deg \varphi_m = p^{2m} \equiv 1 \pmod{\ell}$, so $\bar{P}_m(X) = (X - 1)^4$. Hence $\ker[\ell] \subseteq \ker((\varphi_m - 1)^4)$, and since $\ell$ is unramified in $K$, it follows that $\omega_m \equiv 1 \pmod{\ell}$; cf. Lemma 10. This is a contradiction. (If $\mathcal{J}_C(\mathbb{F}_{p^m})[\ell]$ were of rank four, then $\varphi_m - 1$ would vanish on $\mathcal{J}_C[\ell]$, and $\omega_m \equiv 1 \pmod{\ell}$ would follow in the same way.) So $\mathcal{J}_C(\mathbb{F}_{p^m})[\ell]$ is of rank at most two as a $\mathbb{Z}/\ell\mathbb{Z}$-module. □

Lemma 12. Let notation and assumptions be as in Theorem 9. If $\omega_m \not\equiv 1 \pmod{\ell}$, then $P_m(X)$ is irreducible.

Proof. The Jacobian $\mathcal{J}_C$ is simple by Theorem 7. Assume $P_m(X)$ is reducible. Then $P_m(X) = f(X)^e$ for some integer $e$ and some irreducible polynomial $f \in \mathbb{Z}[X]$ by [?, Theorem 8, p. 58]. Notice that $e \in \{2, 4\}$. If $\omega_m \notin \mathbb{R}$, then $\mathbb{Q}(\omega_m) \subseteq K$ is an imaginary, quadratic number field and $K$ is the composition of $K_0$ and $\mathbb{Q}(\omega_m)$, i.e. $\mathrm{Gal}(K/\mathbb{Q})$ is bicyclic. This is a contradiction. So $\omega_m \in \mathbb{R}$, i.e. $\omega_m^2 = p^m$. If $\omega_m \in \mathbb{Q}$, then $f(X) \equiv X - 1 \pmod{\ell}$ because $\bar{P}_m(1) = 0$. But then $\omega_m \equiv 1 \pmod{\ell}$. This is a contradiction. So $\omega_m \notin \mathbb{Q}$, $e = 2$ and $f(X) = X^2 - p^m$. Hence, $P_m(X) = (X^2 - p^m)^2$. Since $\bar{P}_m(1) = 0$, it follows that $\omega_m^2 = p^m \equiv 1 \pmod{\ell}$. This is a contradiction. So $P_m(X)$ is irreducible. □
Proof of Theorem 9. Assume that $\mathcal{J}_C(\mathbb{F}_{p^m})[\ell]$ is bicyclic. If $p^m \not\equiv 1 \pmod{\ell}$, then $1$ is a root of $\bar{P}_m$ of multiplicity two, i.e. $\bar{P}_m(X) = (X - 1)^2 (X - p^m)^2$. $P_m(X)$ is irreducible by Lemma 12. Hence, by [3, Proposition 8.3, p. 47] it follows that $\ell$ ramifies in $K$. This is a contradiction. So $p^m \equiv 1 \pmod{\ell}$, i.e. $\ell \mid p^m - 1$.

On the other hand, if $\ell \mid p^m - 1$, then the Tate-pairing is non-degenerate on $\mathcal{J}_C(\mathbb{F}_{p^m})[\ell]$. So $\mathcal{J}_C(\mathbb{F}_{p^m})[\ell]$ must be of rank at least two as a $\mathbb{Z}/\ell\mathbb{Z}$-module, since $\ell \nmid p - 1$. Hence, $\mathcal{J}_C(\mathbb{F}_{p^m})[\ell]$ is bicyclic by Lemma 11. This proves part (i) of Theorem 9.

Now let $m = k$. If $\omega_k \equiv 1 \pmod{\ell}$, then $\mathcal{J}_C[\ell] = \mathcal{J}_C(\mathbb{F}_{p^k})[\ell]$, and (ii) follows. Assume that $\omega_k \not\equiv 1 \pmod{\ell}$. Let $U = \mathcal{J}_C(\mathbb{F}_p)[\ell]$ and $V = \ker(\varphi - p) \cap \mathcal{J}_C[\ell]$, where $\varphi$ is the $p$-power Frobenius endomorphism on $\mathcal{J}_C$. Then $V \subseteq \mathcal{J}_C(\mathbb{F}_{p^k})[\ell]$, since $\varphi^k$ acts on $V$ as $p^k \equiv 1 \pmod{\ell}$, and $U \cap V = \{0\}$, since $\ell \nmid p - 1$. Both $U$ and $V$ are non-trivial, $U$ because $\ell$ divides $|\mathcal{J}_C(\mathbb{F}_p)|$ and $V$ because the Weil-pairing is non-degenerate on $U \times V$ by the result of Rubin and Silverberg quoted in the introduction. Hence, by Lemma 11,

$$\mathcal{J}_C(\mathbb{F}_{p^k})[\ell] = U \oplus V \simeq \mathbb{Z}/\ell\mathbb{Z} \times \mathbb{Z}/\ell\mathbb{Z}.$$

Now let $x \in \mathcal{J}_C(\mathbb{F}_{p^k})[\ell]$ be an arbitrary $\mathbb{F}_{p^k}$-rational point of order $\ell$. Write $x = x_U + x_V$, where $x_U \in U$ and $x_V \in V$. Choose $y \in V$ and $z \in U$, such that $e_W(x_U, y) \neq 1$ and $e_W(x_V, z) \neq 1$ (if $x_U = 0$ or $x_V = 0$, take $y = 0$, respectively $z = 0$, and omit the corresponding factor below). We may assume that $e_W(x_U, y) \cdot e_W(x_V, z) \neq 1$; if not, replace $z$ by $2z$. Since the Weil-pairing is anti-symmetric, $e_W(x_U, z) = e_W(x_V, y) = 1$. Hence,

$$e_W(x, y + z) = e_W(x_U, y) \cdot e_W(x_V, z) \neq 1.$$

□